CVE-2025-28974 is a high-severity vulnerability identified in the Free WP Mail SMTP plugin developed by mail250, affecting versions up to 1.0. The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue (CWE-352) that enables an attacker to perform unauthorized actions on behalf of an authenticated user. Specifically, this CSRF flaw allows an attacker to inject Stored Cross-Site Scripting (XSS) payloads into the plugin's functionality. Stored XSS occurs when malicious scripts are permanently stored on the target server (e.g., in a database) and executed in the context of users’ browsers when they access affected pages. The CVSS 3.1 base score of 7.1 reflects a high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability at a low level, but the combination of CSRF and stored XSS can lead to session hijacking, unauthorized actions, and potentially privilege escalation or further compromise of the WordPress environment. No patches or known exploits in the wild are currently reported. The vulnerability affects the Free WP Mail SMTP plugin, a widely used WordPress plugin for configuring SMTP mail sending, which is critical for website communication and notifications. The lack of a patch at the time of publication increases the urgency for mitigation.

For European organizations, this vulnerability poses a significant risk to websites running WordPress with the Free WP Mail SMTP plugin installed. Exploitation could lead to unauthorized changes in mail configurations, injection of malicious scripts that compromise user sessions, and potential data leakage or defacement. Given the widespread use of WordPress across European businesses, including SMEs and large enterprises, the impact could extend to customer trust, regulatory compliance (e.g., GDPR), and operational disruptions. Attackers could leverage this vulnerability to send phishing emails from legitimate domains, manipulate email content, or gain footholds for further attacks within the network. The stored XSS aspect increases the risk of persistent compromise affecting multiple users. The requirement for user interaction (e.g., clicking a crafted link) means social engineering could be used to trigger the exploit. The vulnerability’s ability to affect confidentiality, integrity, and availability, even at low levels, combined with the changed scope, makes it a serious concern for organizations relying on email communications and WordPress-based web presence in Europe.

1. Immediate mitigation should include disabling or uninstalling the Free WP Mail SMTP plugin until an official patch is released. 2. Monitor official vendor channels and security advisories for patches or updates addressing CVE-2025-28974 and apply them promptly. 3. Implement Web Application Firewall (WAF) rules to detect and block CSRF attempts and suspicious POST requests targeting the plugin’s endpoints. 4. Enforce strict Content Security Policy (CSP) headers to mitigate the impact of stored XSS by restricting script execution sources. 5. Educate users and administrators about the risks of clicking unsolicited links or performing actions without verifying authenticity to reduce successful social engineering. 6. Regularly audit WordPress plugins and their permissions, minimizing the number of users with administrative privileges to limit potential damage. 7. Employ security plugins that provide additional CSRF and XSS protections for WordPress environments. 8. Conduct penetration testing focusing on CSRF and XSS vectors to identify residual risks. 9. Maintain comprehensive backups to enable recovery in case of compromise.